Susan operates a curtain business with fewer than 19 employees. The business is a small/medium sized enterprise (SME). Susan has been the director and sole shareholder of the business for 25 years. Over this time, the databases of the business have accumulated hundreds of customer emails which are stored in an Excel spreadsheet and are used to address the quarterly newsletter.
The Privacy Act 1993 controls how agencies, which include SMEs and social clubs, collect, use, disclose, store, and give access to personal information. The new Privacy Act 2020 is set to replace its predecessor 1993 Act on 1 November 2020.
According to Privacy Commissioner John Edwards, the most notable change to the new Act will be the introduction of a requirement to report serious privacy breaches. If there is a breach that has caused serious harm or poses a risk of causing someone serious harm, it must be reported to the Privacy Commissioner’s office and to any affected individuals.
A privacy breach requires an action inconsistent with one of the twelve privacy principles. Mainly, these principles regulate how an agency collects personal information, its storage and security, and its retention. Currently, reporting privacy breaches is not required.
This change to the Act is in-line with the approaches taken by both Australia and Canada. An objective statutory test for determining and reporting harm will likely provide the New Zealand privacy law landscape with more certainty and consistency in resolving breaches of the Act, particularly in light of the country’s rapid technological evolution. Notably, SMEs becoming more technologically inclined.
As the commencement date of the new Act will soon be upon us, this may be a good opportunity for agencies to review and update their existing policies and procedures to prevent, mitigate, and report breaches, while ensuring compliance with the law.
The commercial team at Schnauer & Co Lawyers are here to support you throughout this process.
Some quick tips for Susan
Please be aware that these are general guidance points and do not constitute legal advice.